Re: Blocking change to permissive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/22/2012 12:34 PM, Bruno Wolff III wrote:
> I remember that once apon a time there was a boolean (or at least a
> setting in system-config-selinux) that would block root from using
> setenforce to change from enforcing to permissive mode.
> 
> I can't seem to find it now on F17. I haven't figured out the
> correct combo to find this via google.
> 
> I tested the secure_mode boolean, but that didn't appear to work. 
> Nothing else in the list looked like it would block changing to 
> permisive mode.
> 
> Is this setting gone now? If not can someone point me to what it is
> or documentation about it?
> 
> Thanks. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
You need to turn off unconfined_t user to make this work, especially
as root, and then use sysadm_t.


# semanage boolean -l | grep secure
secure_mode                    (off  ,  off)  disallow programs, such
as newrole, from transitioning to administrative user domains.
secure_mode_policyload         (off  ,  off)  prevent all confined
domains from loading policy, setting enforcing mode, and changing
boolean values.  Set this to true and you have to reboot to set it back
secure_mode_insmod             (off  ,  off)  disallow programs and
users from transitioning to insmod domain.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9FNQ8ACgkQrlYvE4MpobPM0gCfe+L1uMnUc5J93H+uA8fd3LFQ
ttkAoOAyCPvArDqX0+L2GYqsyAN36XqK
=KTaX
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux